Communicating with CEOs

Posted September 24, 2014 by riskviews
Categories: Decision Makng

Tags:

 The point of communication isn’t to speak. It’s to be heard and understood — to have influence and motivate action. Effective communication requires knowing what information you want to convey and what action you want to motivate, but that’s not enough. You must also know your audience — in this case CEOs—well enough to determine what factors will truly resonate and motivate them to take the desired action based on your information.

CEO’s often are not thinking about their key decisions in the same statistical terms that a risk manager or other quantitative analyst would favor.   Several different studies show that most experienced decision makers do not apply statistical thinking either.  Instead they apply a natural decision making process assisted liberally by heuristics. 

CEO’s and other leaders also commonly have different perspectives on priorities than risk managers and analysts.  Analysts will tend to see the world “realistically” with a balance between risks and rewards, while CEO’s may have reached their position, in part, because they see the world “optimisticslly” as containing plenty of opportunities where rewards are much more likely than overstated risks.  Of course, from the perspective of the CEO, the analysts are “pessimistic” and they themselves are “realistic”. 

To communicate with CEO’s, risk managers and analysts need to learn to frame the results of their work in terms that make sense to CEO’s.  That will often be in terms of Natural Decision Making, Heuristics and Opportunities. 

For more on this topic, see Actuarial Review “How to Talk to a CEO“. 

 

Risk Culture, Neoclassical Economics, and Enterprise Risk Management

Posted September 22, 2014 by riskviews
Categories: Enterprise Risk Management, Risk Culture

Tags: , ,

Pyramid_of_Capitalist_System copyFinancial regulators, rating agencies and many commentators have blamed weak Risk Culture for many of the large losses and financial company failures of the past decade. But their exposition regarding a strong Risk Culture only goes as far as describing a few of the risk management practices of an organization and falls far short of describing the beliefs and motivations that are at the heart of any culture. This discussion will present thinking about how the fundamental beliefs of Neo Classical Economics clash with the recommended risk practices and how the beliefs that underpin Enterprise Risk Management are fundamentally consistent with the recommended risk management practices but differ significantly from Neo Classical Economics beliefs.

Hierarchy Principle of Risk Management

Posted September 8, 2014 by riskviews
Categories: Business, Chief Risk Officer, Compliance, Enterprise Risk Management, ERM, Governence, Risk Culture

Tags: ,

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM.  It is one of the two or three most important principles of ERM.  Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

  • Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
  • Jerome Kerviel at Soc Gen was doing the same.
  • The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

  1. it works to systematically determine the significance of all risk decisions, 
  2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
  3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
  4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM have been fighting to get any traction, to have a voice.  The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers.  A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Risk Culture and Enterprise Risk Management (1/2 Day Seminar)

Posted September 2, 2014 by riskviews
Categories: Cultural Theory of Risk, Risk Culture

Tags: ,

Afternoon of September 29 – at the ERM Symposium #ERMSYM

Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management. 

This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process. 

The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.

Speakers: 
Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago 
David Ingram, CERA, PRM, EVP, Willis Re

Registration

The History of Risk Management

Posted August 28, 2014 by riskviews
Categories: Risk Learning, Risk Management

Tags: ,

Please find a new permanent page on RISKVIEWS – The History of Risk Management.  It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today.  This list was compiled with the help of INARM

Risk Management development has not followed a particularly straight line.  Practices have been adopted, ignored, misused.  Blow up have happened.  Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll up your sleeves and do it risk management.  Promoting that sort of Risk Management is the objective of this Blog. 

 

 

Too Much Risk

Posted August 18, 2014 by riskviews
Categories: Correlation, Diversification, Enterprise Risk Management, Modeling, Risk Appetite, risk assessment, Risk Culture, Risk Management System

Tags: ,

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

  1. Misunderstanding the risk involved in the choices made and to be made by the organization
  2. Misunderstanding the risk appetite of the organization
  3. Misunderstanding the risk taking capacity of the organization
  4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

 This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that their problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

  1. Understands the risks
  2. Articulates and understands the risk appetite
  3. Understands the aggregate and remaining risk capacity at all times
  4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Insurers need to adapt COSO/ISO Risk Management to achieve ERM

Posted July 29, 2014 by riskviews
Categories: Enterprise Risk Management, risk assessment, Risk Identification, Risk Management System

Tags: ,

Both the COSO and ISO risk management frameworks describe many excellent practices.  However, in practice, insurers need to make two major changes from the typical COSO/ISO risk management process to achieve real ERM.

  1. RISK MEASUREMENT – Both COSO and ISO emphasize what RISKVIEWS calls the Risk Impressions approach to risk measurement.  That means asking people what their impression is of the frequency and severity of each risk.  Sometimes they get real fancy and also ask for an impression of Risk Velocity.  RISKVIEWS sees two problems with this for insurers.  First, impressions of risk are notoriously inaccurate.  People are just not very good at making subjective judgments about risk.  Second, the frequency/severity pair idea does not actually represent reality.  The idea properly applies to very specific incidents, not to risks, which are broad classes of incidents.  Each possible incident that makes up the class that we call a risk has a different frequency severity pair.   There is no single pair that represents the class.  Insurers risks are in one major way different from the risks of non-financial firms.  Insurers almost always buy and sell the risks that make up 80% or more of their risk profile.  That means that to make those transactions they should be making an estimate of the expected value of ALL of those frequency and severity pairs.  No insurance company that expects to survive for more than a year would consider setting its prices based upon something as lacking in reality testing as a single frequency and severity pair.  So an insurer should apply the same discipline to measuring its risks as it does to setting its prices.  After all, risk is the business that it is in.
  2. HIERARCHICAL RISK FOCUS – Neither COSO nor ISO demand that the risk manager run to their board or senior management and proudly expect them to sit still while the risk manager expounds upon the 200 risks in their risk register.  But a highly depressingly large number of COSO/ISO shops do exactly that.  Then they wonder why they never get a second chance in front of top management and the board.  However, neither COSO nor ISO provide strong enough guidance regarding the Hierarchical principal that is one of the key ideas of real ERM.    COSO and ISO both start with a bottoms up process for identifying risks.  That means that many people at various levels in the company get to make input into the risk identification process.  This is the fundamental way that COSO/ISO risk management ends up with risk registers of 200 risks.  COSO and ISO do not, however, offer much if any guidance regarding how to make that into something that can be used by top management and the board.  In RISKVIEWS experience, the 200 item list needs to be sorted into no more than 25 broad categories.  Then those categories need to be considered the Risks of the firm and the list of 200 items considered the Riskettes.  Top management should have a say in the development of that list.  It should be their chooses of names for the 25 Risks. The 25 Risks then need to be divided into three groups.  The top 5 to 7 Risks are the first rank risks that are the focus of discussions with the Board.    Those should be the Risks that are most likely to cause a financial or other major disruption to the firm.   Besides focusing on those first rank risks, the board should make sure that management is attending to all of the 25 risks.  The remaining 18 to 20 Risks then can be divided into two ranks.  The Top management should then focus on the first and second rank risks.  And they should make sure that the risk owners are attending to the third rank risks.  Top management, usually through a risk committee, needs to regularly look at these risk assignments and promote and demote risks as the company’s exposure and the risk environment changes.  Now, if you are a risk manager who has recently spent a year or more constructing the list of the 200 Riskettes, you are doubtless wondering what use would be made of all that hard work.  Under the Hierarchical principle of ERM, the process described above is repeated down the org chart.  The risk committee will appoint a risk owner for each of the 25 Risks and that risk owner will work with their list of Riskettes.  If their Riskette list is longer than 10, they might want to create a priority structure, ranking the risks as is done for the board and top management.  But if the initial risk register was done properly, then the Riskettes will be separate because there is something about them that requires something different in their monitoring or their risk treatment.  So the risk register and Riskettes will be an valuable and actionable way to organize their responsibilities as risk owner.  Even if it is never again shown to the Top management and the board.

These two ideas do not contradict the main thrust of COSO and ISO but they do represent a major adjustment in approach for insurance company risk managers who have been going to COSO or ISO for guidance.  It would be best if those risk managers knew in advance about these two differences from the COSO/ISO approach that is applied in non-financial firms.


Follow

Get every new post delivered to your Inbox.

Join 658 other followers

%d bloggers like this: